From 3783ae049572717d822deebdb4ffe2ad01bdf15f Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 30 Oct 2019 12:59:51 -0700 Subject: [PATCH] update policy --- samples/best_practices/disallow_host_filesystem.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/samples/best_practices/disallow_host_filesystem.yaml b/samples/best_practices/disallow_host_filesystem.yaml index a9b6b988f6..27268b2694 100644 --- a/samples/best_practices/disallow_host_filesystem.yaml +++ b/samples/best_practices/disallow_host_filesystem.yaml @@ -4,9 +4,13 @@ metadata: name: "deny-use-of-host-fs" annotations: policies.kyverno.io/category: Data Protection - policies.kyverno.io/description: The volume of type 'hostpath' binds pods to a specific host, - and data persisted in the volume is dependent on the life of the node. In a shared cluster, - it is recommeded that applications are independent of hosts. + policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind + mounts (i.e. directories and volumes mounted to a host path) in containers. Using host + resources can be used to access shared data or escalate priviliges. Also, this couples pods + to a specific host and data persisted in the `hostPath` volume is coupled to the life of the + node leading to potential pod scheduling failures. It is highly recommeded that applications + are designed to be decoupled from the underlying infrstructure (in this case, nodes). + spec: rules: - name: "deny-use-of-host-fs"
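Review bot: The new `policies.kyverno.io/description` text carries three spelling errors that will be shown verbatim to users reading the policy: "priviliges" should be "privileges", "recommeded" should be "recommended" (this typo also existed in the removed lines, so the patch is a chance to fix it), and "infrstructure" should be "infrastructure". The phrase "Using host resources can be used to access shared data or escalate priviliges" also reads awkwardly; consider "Host resources can be used to access shared data or escalate privileges." Since the rewritten description now states the security rationale (host bind mounts enabling privilege escalation) rather than only the scheduling concern, the annotation is doing more work as user-facing documentation, so it is worth getting the wording clean before merge.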